<?php

  /* TODO: Comments are out of date and incomplete. */

/**
 * FILE:        windowslivelogin.php
 *
 * DESCRIPTION: Sample implementation of Web Authentication and Delegated 
 *              Authentication protocol in PHP. Also includes trusted 
 *              sign-in and application verification sample 
 *              implementations.
 *
 * VERSION:     1.1
 *
 * Copyright (c) 2008 Microsoft Corporation.  All Rights Reserved.
 */

/**
 * Holds the user information after a successful sign-in.
 */
class WLL_User
{

    /**
    * Initialize the User with time stamp, userid, flags, context and token.
    */
    public function __construct($timestamp, $id, $flags, $context, $token)
    {
        self::setTimestamp($timestamp);
        self::setId($id);
        self::setFlags($flags);
        self::setContext($context);
        self::setToken($token);
    }

    private $_timestamp;
    
    /**
     * Returns the Unix timestamp as obtained from the SSO token.
     */
    public function getTimestamp()
    {
        return $this->_timestamp;
    }

    /**
     * Sets the Unix timestamp.
     */
    private function setTimestamp($timestamp)
    {
        if (!$timestamp) {
            throw new Exception('Error: WLL_User: Null timestamp.');
        }

        if (!preg_match('/^\d+$/', $timestamp) || ($timestamp <= 0)) {
            throw new Exception('Error: WLL_User: Invalid timestamp: ' 
                                . $timestamp);
        }
        
        $this->_timestamp = $timestamp;
    }

    private $_id;

    /**
     * Returns the pairwise unique ID for the user.
     */
    public function getId()
    {
        return $this->_id;
    }

    /**
     * Sets the pairwise unique ID for the user.
     */
    private function setId($id)
    {
        if (!$id) {
            throw new Exception('Error: WLL_User: Null id.');
        }

        if (!preg_match('/^\w+$/', $id)) {
            throw new Exception('Error: WLL_User: Invalid id: ' . $id);
        }
        
        $this->_id = $id;
    }

    private $_usePersistentCookie;

    /**
     * Indicates whether the application is expected to store the
     * user token in a session or persistent cookie.
     */
    public function usePersistentCookie() 
    {
        return $this->_usePersistentCookie;
    }

    /**
     * Sets the usePersistentCookie flag for the user.
     */
    private function setFlags($flags)
    {
        $this->_usePersistentCookie = false;
        if (preg_match('/^\d+$/', $flags)) {
            $this->_usePersistentCookie = (($flags % 2) == 1);
        }
    }

    private $_context;
    
    /** 
     * Returns the application context that was originally passed
     * to the sign-in request, if any.
     */
    public function getContext()
    {
        return $this->_context;
    }

    /**
     * Sets the the Application context.
     */
    private function setContext($context)
    {
        $this->_context = $context;
    }

    private $_token;

    /**
     * Returns the encrypted Web Authentication token containing 
     * the UID. This can be cached in a cookie and the UID can be
     * retrieved by calling the ProcessToken method.
     */
    public function getToken()
    {
        return $this->_token;
    }

    /**
     * Sets the the User token.
     */
    private function setToken($token)
    {
        $this->_token = $token;
    }
}

/**
 * Holds the Consent Token object corresponding to consent granted. 
 */
class WLL_ConsentToken
{
    /**
     * Indicates whether the delegation token is set and has not expired.
     */
    public function isValid()
    {
        if (!self::getDelegationToken()) {
            return false;
        }
        
        $now = time();
        return (($now-300) < self::getExpiry());
    }

    /**
     * Refreshes the current token and replace it. If operation succeeds 
     * true is returned to signify success.
     */
    public function refresh()
    {
        $wll = $this->_wll;
        $ct = $wll->refreshConsentToken($this);
        if (!$ct) {
            return false;
        }
        self::copy($ct);
        return true;
    }

    private $_wll;

    /**
     * Initialize the ConsentToken module with the WindowsLiveLogin, 
     * delegation token, refresh token, session key, expiry, offers, 
     * location ID, context, decoded token, and raw token.
     */    
    public function __construct($wll, $delegationtoken, $refreshtoken, 
                                $sessionkey, $expiry, $offers, $locationID, $context, 
                                $decodedtoken, $token)
    {
        $this->_wll = $wll;
        self::setDelegationToken($delegationtoken);
        self::setRefreshToken($refreshtoken);
        self::setSessionKey($sessionkey);
        self::setExpiry($expiry);
        self::setOffers($offers);
        self::setLocationID($locationID);
        self::setContext($context);
        self::setDecodedToken($decodedtoken);
        self::setToken($token);
    }

    private $_delegationtoken;

    /**
     * Gets the Delegation token.
     */
    public function getDelegationToken()
    {
        return $this->_delegationtoken;
    }

    /**
     * Sets the Delegation token.
     */
    private function setDelegationToken($delegationtoken)
    {
        if (!$delegationtoken) {
            throw new Exception('Error: WLL_ConsentToken: Null delegation token.');
        }
        $this->_delegationtoken = $delegationtoken;
    }

    private $_refreshtoken;

    /**
     * Gets the refresh token.
     */
    public function getRefreshToken()
    {
        return $this->_refreshtoken;
    }

    /**
     * Sets the refresh token.
     */
    private function setRefreshToken($refreshtoken)
    {
        $this->_refreshtoken = $refreshtoken;
    }

    private $_sessionkey;

    /**
     * Gets the session key.
     */
    public function getSessionKey()
    {
        return $this->_sessionkey;
    }

    /**
     * Sets the session key.
     */
    private function setSessionKey($sessionkey)
    {
        if (!$sessionkey) {
            throw new Exception('Error: WLL_ConsentToken: Null session key.');
        }
        $this->_sessionkey = base64_decode(urldecode($sessionkey));
    }

    private $_expiry;
    
    /**
     * Gets the expiry time of delegation token.
     */
    public function getExpiry()
    {
        return $this->_expiry;
    }

    /**
     * Sets the expiry time of delegation token.
     */
    private function setExpiry($expiry)
    {
        if (!$expiry) {
            throw new Exception('Error: WLL_ConsentToken: Null expiry time.');
        }

        if (!preg_match('/^\d+$/', $expiry) || ($expiry <= 0)) {
            throw new Exception('Error: WLL_ConsentToken: Invalid expiry time: '
                                . $expiry);
        }
        $this->_expiry = $expiry;
    }
    
    private $_offers;

    /**
     * Gets the list of offers/actions for which the user granted consent.
     */
    public function getOffers()
    {
        return $this->_offers;
    }

    private $_offers_string;

    /**
     * Gets the string representation of all the offers/actions for which 
     * the user granted consent.
     */
    public function getOffersString()
    {
        return $this->_offers_string;
    }

    /**
     * Sets the offers/actions for which user granted consent.
     */
    private function setOffers($offers)
    {
        if (!$offers) {
            throw new Exception('Error: WLL_ConsentToken: Null offers.');
        }
        
        $off_s = "";
        $off = array();

        $offers = urldecode($offers);
        $offers = split(";", $offers);
        foreach ($offers as $offer) {
            $offer = split(":", $offer);
            $offer = $offer[0];
            if ($off_s) {
                $off_s .= ",";
            }
            $off_s .= $offer;
            $off[] = $offer;
        }

        $this->_offers_string = $off_s;
        $this->_offers = $off;
    }
    
    private $_locationID;
    /**
     * Gets the location ID.
     */
    public function getLocationID()
    {
        return $this->_locationID;
    }

    /**
     * Sets the location ID.
     */
    private function setLocationID($locationID)
    {
        if (!$locationID) {
            throw new Exception('Error: WLL_ConsentToken: Null Location ID.');
        }    
        $this->_locationID = $locationID;
    }

    private $_context;
    /**
     * Returns the application context that was originally passed
     * to the sign-in request, if any.
     */
    public function getContext()
    {
        return $this->_context;
    }

    /**
     * Sets the application context.
     */
    private function setContext($context)
    {
        $this->_context = $context;
    }

    private $_decodedtoken;
    /**
     * Gets the decoded token.
     */
    public function getDecodedToken()
    {
        return $this->_decodedtoken;
    }

    /**
     * Sets the decoded token.
     */
    private function setDecodedToken($decodedtoken)
    {
        $this->_decodedtoken = $decodedtoken;
    }

    private $_token;

    /**
     * Gets the raw token.
     */
    public function getToken()
    {
        return $this->_token;
    }

    /**
     * Sets the raw token.
     */
    private function setToken($token)
    {
        $this->_token = $token;
    }

    /**
     * Makes a copy of the ConsentToken object.
     */
    private function copy($ct)
    {
        $this->_delegationtoken = $ct->_delegationtoken;
        $this->_refreshtoken = $ct->_refreshtoken;
        $this->_sessionkey = $ct->_sessionkey;
        $this->_expiry = $ct->_expiry;
        $this->_offers = $ct->_offers;
        $this->_offers_string = $ct->_offers_string;
        $this->_locationID = $ct->_locationID;
        $this->_decodedtoken = $ct->_decodedtoken;
        $this->_token = $ct->_token;
    }
}

class WindowsLiveLogin
{
    /* Implementation of basic methods for Web Authentication support. */

    private $_debug = false;

    /**
     * Stub implementation for logging errors. If you want to enable
     * debugging output, set this to true. In this implementation
     * errors will be logged using the PHP error_log function.
     */
    public function setDebug($debug)
    {
        $this->_debug = $debug;
    }

    /**
     * Stub implementation for logging errors. By default, this
     * function does nothing if the debug flag has not been set with
     * setDebug. Otherwise, errors are logged using the PHP error_log
     * function.
     */
    private function debug($string)
    {
        if ($this->_debug) {
            error_log($string);
        }
    }
    
    /**
     * Stub implementation for handling a fatal error.
     */
    private function fatal($string)
    {
        self::debug($string);
        throw new Exception($string);
    }
    
    /**
     * Initialize the WindowsLiveLogin module with the application ID,
     *   secret key, and security algorithm.  
     *
     *  We recommend that you employ strong measures to protect the
     *  secret key. The secret key should never be exposed to the Web
     *  or other users.
     *
     *  Be aware that if you do not supply these settings at
     *  initialization time, you may need to set the corresponding
     *  properties manually.
     *
     *  For Delegated Authentication, you may optionally specify the
     *  privacy policy URL and return URL. If you do not specify these
     *  values here, the default values that you specified when you
     *  registered your application will be used.  
     *
     *  The 'force_delauth_nonprovisioned' flag also indicates whether
     *  your application is registered for Delegated Authentication 
     *  (that is, whether it uses an application ID and secret key). We 
     *  recommend that your Delegated Authentication application always 
     *  be registered for enhanced security and functionality.
     */
    public function __construct($appid=null, $secret=null, $securityalgorithm=null,
                                $force_delauth_nonprovisioned=null,
                                $policyurl=null, $returnurl=null)
    {
        self::setForceDelAuthNonProvisioned($force_delauth_nonprovisioned);
        
        if ($appid) {
            self::setAppId($appid);
        }
        if ($secret) {
            self::setSecret($secret);
        }
        if ($securityalgorithm) {
            self::setSecurityAlgorithm($securityalgorithm);
        }
        if ($policyurl) {
            self::setPolicyUrl($policyurl);
        }
        if ($returnurl) {
            self::setReturnUrl($returnurl);
        }
    }

    /**
     * Initialize the WindowsLiveLogin module from a settings file. 
     *
     *  'settingsFile' specifies the location of the XML settings file
     *  that contains the application ID, secret key, and security
     *  algorithm. The file is of the following format:
     *
     *  <windowslivelogin>
     *    <appid>APPID</appid>
     *    <secret>SECRET</secret>
     *    <securityalgorithm>wsignin1.0</securityalgorithm>
     *  </windowslivelogin>
     *
     *  In a Delegated Authentication scenario, you may also specify
     *  'returnurl' and 'policyurl' in the settings file, as shown in the
     *  Delegated Authentication samples.
     *
     *  We recommend that you store the WindowsLiveLogin settings file
     *  in an area on your server that cannot be accessed through the 
     *  Internet. This file contains important confidential information.
     */
    public static function initFromXml($settingsFile)
    {
        $o = new WindowsLiveLogin();
        $settings = $o->parseSettings($settingsFile);
        
        if (@$settings['debug'] == 'true') {
            $o->setDebug(true);
        }
        else {
            $o->setDebug(false);
        }

        if (@$settings['force_delauth_nonprovisioned'] == 'true') {
            $o->setForceDelAuthNonProvisioned(true);
        }
        else {
            $o->setForceDelAuthNonProvisioned(false);
        }

        $o->setAppId(@$settings['appid']);
        $o->setSecret(@$settings['secret']);
        $o->setOldSecret(@$settings['oldsecret']);
        $o->setOldSecretExpiry(@$settings['oldsecretexpiry']);
        $o->setSecurityAlgorithm(@$settings['securityalgorithm']);
        $o->setPolicyUrl(@$settings['policyurl']);
        $o->setReturnUrl(@$settings['returnurl']);        
        $o->setBaseUrl(@$settings['baseurl']);
        $o->setSecureUrl(@$settings['secureurl']);
        $o->setConsentBaseUrl(@$settings['consenturl']);
        return $o;
    }

    private $_appid;

    /**
     * Sets the application ID. Use this method if you did not specify
     * an application ID at initialization.
     **/
    public function setAppId($appid)
    {
        $_force_delauth_nonprovisioned = $this->_force_delauth_nonprovisioned;
        if (!$appid) {
            if ($_force_delauth_nonprovisioned) {
                return;
            }
            self::fatal('Error: setAppId: Null application ID.');
        }
        if (!preg_match('/^\w+$/', $appid)) {
            self::fatal("Error: setAppId: Application ID must be alpha-numeric: $appid");
        }
        $this->_appid = $appid;
    }

    /**
     * Returns the application ID.
     */
    public function getAppId()
    {
        if (!$this->_appid) {
            self::fatal('Error: getAppId: Application ID was not set. Aborting.');
        }
        return $this->_appid;
    }

    private $_signkey;
    private $_cryptkey;
    
    /**
     * Sets your secret key. Use this method if you did not specify
     * a secret key at initialization.
     */
    public function setSecret($secret)
    {
        $_force_delauth_nonprovisioned = $this->_force_delauth_nonprovisioned;
        if (!$secret || (strlen($secret) < 16)) {
            if ($_force_delauth_nonprovisioned) {
                return;
            }
            self::fatal("Error: setSecret: Secret key is expected to be non-null and longer than 16 characters.");
        }
        
        $this->_signkey  = self::derive($secret, "SIGNATURE");
        $this->_cryptkey = self::derive($secret, "ENCRYPTION");
    }

    private $_oldsignkey;
    private $_oldcryptkey;

    /**
     * Sets your old secret key.
     *
     * Use this property to set your old secret key if you are in the
     * process of transitioning to a new secret key. You may need this 
     * property because the Windows Live ID servers can take up to 
     * 24 hours to propagate a new secret key after you have updated 
     * your application settings.
     *
     * If an old secret key is specified here and has not expired
     * (as determined by the oldsecretexpiry setting), it will be used
     * as a fallback if token decryption fails with the new secret 
     * key.
     */
    public function setOldSecret($secret)
    {
        if (!$secret) {
            return;
        }
        if (strlen($secret) < 16) {
            self::fatal("Error: setOldSecret: Secret key is expected to be non-null and longer than 16 characters.");
        }
        
        $this->_oldsignkey  = self::derive($secret, "SIGNATURE");
        $this->_oldcryptkey = self::derive($secret, "ENCRYPTION");
    }

    private $_oldsecretexpiry;

    /**
     * Sets the expiry time for your old secret key.
     *
     * After this time has passed, the old secret key will no longer be
     * used even if token decryption fails with the new secret key.
     *
     * The old secret expiry time is represented as the number of seconds
     * elapsed since January 1, 1970. 
     */
    public function setOldSecretExpiry($timestamp)
    {
        if (!$timestamp) {
            return;
        }

        if (!preg_match('/^\d+$/', $timestamp) || ($timestamp <= 0)) {
            self::fatal('Error: setOldSecretExpiry Invalid timestamp: '
                        . $timestamp);
        }
        
        $this->_oldsecretexpiry = $timestamp;
    }

    /**
     * Gets the old secret key expiry time.
     */
    public function getOldSecretExpiry()
    {
        return $this->_oldsecretexpiry;
    }

    private $_securityalgorithm;

    /**
     * Sets the version of the security algorithm being used.
     */
    public function setSecurityAlgorithm($securityalgorithm)
    {
        $this->_securityalgorithm = $securityalgorithm;
    }

    /**
     * Gets the version of the security algorithm being used.
     */
    public function getSecurityAlgorithm()
    {
        $securityalgorithm = $this->_securityalgorithm;
        if (!$securityalgorithm) {
            return 'wsignin1.0';
        }
        return $securityalgorithm;
    }

    private $_force_delauth_nonprovisioned;

    /**
     * Sets a flag that indicates whether Delegated Authentication
     * is non-provisioned (i.e. does not use an application ID or secret
     * key).
     */
    public function setForceDelAuthNonProvisioned($force_delauth_nonprovisioned)
    {
        $this->_force_delauth_nonprovisioned = $force_delauth_nonprovisioned;
    }

    private $_policyurl;

    /**
     * Sets the privacy policy URL if you did not provide one at initialization time.
     */
    public function setPolicyUrl($policyurl)
    {
        $_force_delauth_nonprovisioned = $this->_force_delauth_nonprovisioned;
        if (!$policyurl) {
            if ($_force_delauth_nonprovisioned) {
                self::fatal("Error: setPolicyUrl: Null policy URL given.");
            }
        }
        $this->_policyurl = $policyurl;
    }

    /**
     * Gets the privacy policy URL for your site.
     */
    public function getPolicyUrl()
    {
        $policyurl = $this->_policyurl;
        $_force_delauth_nonprovisioned = $this->_force_delauth_nonprovisioned;
        if (!$policyurl) {
            self::debug("Warning: In the initial release of Delegated Auth, a Policy URL must be configured in the SDK for both provisioned and non-provisioned scenarios.");
            if ($_force_delauth_nonprovisioned) {
                self::fatal("Error: getPolicyUrl: Policy URL must be set in a Del Auth non-provisioned scenario. Aborting.");
            }
        }
        return $policyurl;
    }

    private $_returnurl;

    /**
     * Sets the return URL--the URL on your site to which the consent 
     *  service redirects users (along with the action, consent token, 
     *  and application context) after they have successfully provided 
     *  consent information for Delegated Authentication. This value will 
     *  override the return URL specified during registration.
     */
    public function setReturnUrl($returnurl)
    {
        $_force_delauth_nonprovisioned = $this->_force_delauth_nonprovisioned;
        if (!$returnurl) {
            if ($_force_delauth_nonprovisioned) {
                self::fatal("Error: setReturnUrl: Null return URL given.");
            }
        }
        $this->_returnurl = $returnurl;
    }

    /**
     * Returns the return URL of your site.
     */
    public function getReturnUrl()
    {
        $_force_delauth_nonprovisioned = $this->_force_delauth_nonprovisioned;
        $returnurl = $this->_returnurl;
        if (!$returnurl) {
            if ($_force_delauth_nonprovisioned) {
                self::fatal("Error: getReturnUrl: Return URL must be set in a Del Auth non-provisioned scenario. Aborting.");
            }
        }
        return $returnurl;
    }

    private $_baseurl;

    /**
     * Sets the base URL to use for the Windows Live Login server. 
     *  You should not have to change this property. Furthermore, we recommend 
     *  that you use the Sign In control instead of the URL methods
     *  provided here.
     */
    public function setBaseUrl($baseurl) 
    {
        $this->_baseurl = $baseurl;
    }

    /**
     * Gets the base URL to use for the Windows Live Login server. 
     * You should not have to use this property. Furthermore, we recommend 
     * that you use the Sign In control instead of the URL methods 
     * provided here.
     */
    public function getBaseUrl() 
    {
        $baseurl = $this->_baseurl;
        if (!$baseurl) {
            return "http://login.live.com/";
        }
        return $baseurl;
    }

    private $_secureurl;

    /**
     * Sets the secure (HTTPS) URL to use for the Windows Live Login 
     * server. You should not have to change this property.
     */
    public function setSecureUrl($secureurl) 
    {
        $this->_secureurl = $secureurl;
    }

    /**
     * Gets the secure (HTTPS) URL to use for the Windows Live Login 
     * server. You should not have to use this functon directly.
     */
    public function getSecureUrl() 
    {
        $secureurl = $this->_secureurl;
        if (!$secureurl) {
            return "https://login.live.com/";
        }
        return $secureurl;
    }

    private $_consenturl;

    /**
     * Sets the Consent Base URL to use for the Windows Live Consent 
     * server. You should not have to use or change this property directly.
     */
    public function setConsentBaseUrl($consenturl) 
    {
        $this->_consenturl = $consenturl;
    }

    /**
     * Gets the URL to use for the Windows Live Consent server. You
     * should not have to use or change this directly.
     */
    public function getConsentBaseUrl() 
    {
        $consenturl = $this->_consenturl;
        if (!$consenturl) {
            return "https://consent.live.com/";
        }
        return $consenturl;
    }

    /* Methods for Web Authentication support. */

    /**
     * Returns the sign-in URL to use for the Windows Live Login server. 
     * We recommend that you use the Sign In control instead.
     *   
     * If you specify it, 'context' will be returned as-is in the sign-in
     * response for site-specific use.     
     */
    public function getLoginUrl($context=null, $market=null)
    {
        $url  = self::getBaseUrl(); 
        $url .= 'wlogin.srf?appid=' . self::getAppId();
        $url .= '&alg=' . self::getSecurityAlgorithm();
        $url .= ($context ? '&appctx=' . urlencode($context) : '');
        $url .= ($market ? '&mkt=' . urlencode($market) : '');
        return $url;
    }
    
    /**
     * Returns the sign-out URL to use for the Windows Live Login server. 
     * We recommend that you use the Sign In control instead.
     */
    public function getLogoutUrl($market=null)
    {
        $url = self::getBaseUrl();
        $url .= "logout.srf?appid=" . self::getAppId();
        $url .= ($market ? '&mkt=' . urlencode($market) : '');
        return $url;
    }

    /**
     * Processes the sign-in response from Windows Live Login server.
     * 
     * @param query contains the preprocessed POST query, a map of
     *              Strings to an an array of Strings, such as that 
     *              returned by ServletRequest.getParameterMap().
     * @return      a User object on successful sign-in; otherwise null.
     */
    public function processLogin($query)
    {        
        $action = @$query['action'];
        if ($action != 'login') {
            self::debug("Warning: processLogin: query action ignored: $action");
            return;
        }
        $token  = @$query['stoken'];
        $context = urldecode(@$query['appctx']);
        return self::processToken($token, $context);
    }

    /**
     * Decodes and validates a Web Authentication token. Returns a User 
     * object on success. If a context is passed in, it will be returned 
     * as the context field in the User object.
     */
    public function processToken($token, $context=null)
    {
        if (!$token) {
            self::debug('Error: processToken: Invalid token specified.');
            return;
        }

        $decodedToken = self::decodeAndValidateToken($token);
        if (!$decodedToken) {
            self::debug("Error: processToken: Failed to decode/validate token: $token");
            return;
        }

        $parsedToken = self::parse($decodedToken);
        if (!$parsedToken) {
            self::debug("Error: processToken: Failed to parse token after decoding: $token");
            return;
        }
        
        $appid = self::getAppId();
        $tokenappid = @$parsedToken['appid'];
        if ($appid != $tokenappid) {
            self::debug("Error: processToken: Application ID in token did not match ours: $tokenappid, $appid");
            return;
        }

        $user = null;

        try {
            $user = new WLL_User(@$parsedToken['ts'], 
                                 @$parsedToken['uid'], 
                                 @$parsedToken['flags'], 
                                 $context, $token);
        } catch (Exception $e) {
            self::debug("Error: processToken: Contents of token considered invalid: " + $e->getMessage());
        }
        
        return $user;
    }
    
    /**
     * Returns an appropriate content type and body response that the 
     * application handler can return to signify a successful sign-out 
     * from the application.
     *  
     * When a user signs out of Windows Live or a Windows Live
     * application, a best-effort attempt is made at signing the user out
     * from all other Windows Live applications the user might be signed
     * in to. This is done by calling the handler page for each
     * application with 'action' set to 'clearcookie' in the query
     * string. The application handler is then responsible for clearing
     * any cookies or data associated with the sign-in. After successfully
     * signing the user out, the handler should return a GIF (any GIF)
     * image as response to the 'action=clearcookie' query.
     */
    public function getClearCookieResponse()
    {
        $type = "image/gif";
        $content = "R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAEALAAAAAABAAEAAAIBTAA7";
        $content = base64_decode($content);
        return array($type, $content);
    }

    /* Methods for Delegated Authentication. */

    /*
     * Returns the consent URL to use for Delegated Authentication for
     * the given comma-delimited list of offers.
     *
     * If you specify it, 'context' will be returned as-is in the consent
     * response for site-specific use.
     *
     * The registered/configured return URL can also be overridden by 
     * specifying 'ru' here.
     *
     * You can change the language in which the consent page is displayed
     * by specifying a culture ID (For example, 'fr-fr' or 'en-us') in the
     * 'market' parameter.
     */
    public function getConsentUrl($offers, $context=null, $ru=null, $market=null)
    {
        if (!$offers) {
            throw new Exception('Error: getConsentUrl: Invalid offers list.');
        }
        $url  = self::getConsentBaseUrl(); 
        $url .= 'Delegation.aspx?ps=' . urlencode($offers);
        $ru = ($ru ? $ru : self::getReturnUrl());
        $url .= ($ru ? '&ru=' . urlencode($ru) : '');
        $pl = self::getPolicyUrl();
        $url .= ($pl ? '&pl=' . urlencode($pl) : '');
        $url .= ($market ? '&mkt=' . urlencode($market) : '');
        if (!$this->_force_delauth_nonprovisioned) {
            $url .= '&app=' . self::getAppVerifier();
        }
        $url .= ($context ? '&appctx=' . urlencode($context) : '');
        return $url;
    }

    /*
     * Returns the URL to use to download a new consent token, given the 
     * offers and refresh token.
     *
     * The registered/configured return URL can also be overridden by 
     * specifying 'ru' here.      
     */
    public function getRefreshConsentTokenUrl($offers, $refreshtoken, $ru=null)
    {
        $_force_delauth_nonprovisioned = $this->_force_delauth_nonprovisioned;
        if (!$offers) {
            throw new Exception('Error: getRefreshConsentTokenUrl: Invalid offers list.');
        }
        if (!$refreshtoken) {
            throw new Exception('Error: getRefreshConsentTokenUrl: Invalid refresh token.');
        }

        $url  = self::getConsentBaseUrl(); 
        $url .= 'RefreshToken.aspx?ps=' . urlencode($offers);
        $url .= '&reft=' . $refreshtoken;
        $ru = ($ru ? $ru : self::getReturnUrl());
        $url .= ($ru ? '&ru=' . urlencode($ru) : '');

        if (!$this->_force_delauth_nonprovisioned) {
            $url .= '&app=' . self::getAppVerifier();
        }

        return $url;
    }

    /*
     * Returns the URL for the consent-management user interface.
     *
     * You can change the language in which the consent page is displayed
     * by specifying a culture ID (For example, 'fr-fr' or 'en-us') in the
     * 'market' parameter.     
     */
    public function getManageConsentUrl($market=null) 
    {
        $url  = self::getConsentBaseUrl(); 
        $url .= 'ManageConsent.aspx';
        $url .= ($market ? '?mkt=' . urlencode($market) : '');
        return $url;
    }

    /*
     * Processes the POST response from the Delegated Authentication 
     * service after a user has granted consent. The processConsent
     * function extracts the consent token string and returns the result 
     * of invoking the processConsentToken method. 
     */
    public function processConsent($query)
    {        
        $action = @$query['action'];
        if ($action != 'delauth') {
            self::debug("Warning: processConsent: query action ignored: $action");
            return;
        }
        $responsecode = @$query['ResponseCode'];
        if ($responsecode != 'RequestApproved') {
            self::debug("Warning: processConsent: consent was not successfully granted: $responsecode");
            return;
        }
        $token  = @$query['ConsentToken'];
        $context = urldecode(@$query['appctx']);
        return self::processConsentToken($token, $context);
    }

    /*
     * Processes the consent token string that is returned in the POST 
     * response by the Delegated Authentication service after a 
     * user has granted consent.
     */
    public function processConsentToken($token, $context=null)
    {
        if (!$token) {
            self::debug('Error: processConsentToken: Null token.');
            return;
        }
        
        $decodedToken = $token;
        $parsedToken = self::parse(urldecode($decodedToken));
        if (!$parsedToken) {
            self::debug("Error: processConsentToken: Failed to parse token: $token");
            return;
        }

        $eact = @$parsedToken['eact'];
        if ($eact) {
            $decodedToken = self::decodeAndValidateToken($eact);
            if (!$decodedToken) {
                self::debug("Error: processConsentToken: Failed to decode/validate token: $token");
                return;
            }
            $parsedToken = self::parse($decodedToken);
            if (!$parsedToken) {
                self::debug("Error: processConsentToken: Failed to parse token after decoding: $token");
                return;
            }
            $decodedToken = urlencode($decodedToken);
        }
        
        $consenttoken = null;

        try {
            $consenttoken = new WLL_ConsentToken($this,
                                                @$parsedToken['delt'], 
                                                @$parsedToken['reft'], 
                                                @$parsedToken['skey'], 
                                                @$parsedToken['exp'], 
                                                @$parsedToken['offer'], 
                                                @$parsedToken['lid'],
                                                $context, $decodedToken, $token);
        } catch (Exception $e) {
            self::debug("Error: processConsentToken: Contents of token considered invalid: " + $e->getMessage());
        }
        return $consenttoken;
    }

    /*
     * Attempts to obtain a new, refreshed token and return it. The 
     * original token is not modified.
     */
    public function refreshConsentToken($token, $ru=null)
    {
        if (!$token) {
            self::debug("Error: refreshConsentToken: Null consent token.");
            return;
        }
        self::refreshConsentToken2($token->getOffersString(), $token->getRefreshToken(), $ru);
    }

    /*
     * Helper function to obtain a new, refreshed token and return it.
     * The original token is not modified.
     */
    public function refreshConsentToken2($offers_string, $refreshtoken, $ru=null)
    {
        $body = self::fetch(self::getRefreshConsentTokenUrl($offers_string, $refreshtoken, $ru));
        if (!$body) {
            self::debug("Error: refreshConsentToken2: Failed to obtain a new token.");
            return;
        }
            
        preg_match('/\{"ConsentToken":"(.*)"\}/', $body, $matches);
        if(count($matches) == 2) {
            return $matches[1];
        }
        else {
            self::debug("Error: refreshConsentToken2: Failed to extract token: $body");
            return;
        }
    }

    /* Common methods. */

    /*
     * Decodes and validates the token.
     */
    public function decodeAndValidateToken($token, $cryptkey=null, $signkey=null,
                                           $internal_allow_recursion=true)
    {
        if (!$cryptkey) {
            $cryptkey = $this->_cryptkey;
        }
        if (!$signkey) {
            $signkey = $this->_signkey;
        }

        $haveoldsecret = false;
        $oldsecretexpiry = self::getOldSecretExpiry();
        $oldcryptkey = $this->_oldcryptkey;
        $oldsignkey = $this->_oldsignkey;

        if ($oldsecretexpiry and (time() < $oldsecretexpiry)) {
            if ($oldcryptkey and $oldsignkey) {
                $haveoldsecret = true;
            }
        }
        $haveoldsecret = ($haveoldsecret and $internal_allow_recursion);
        
        $stoken = self::decodeToken($token, $cryptkey);

        if ($stoken) {
            $stoken = self::validateToken($stoken, $signkey);
        }

        if (!$stoken and $haveoldsecret) {
            self::debug("Warning: Failed to validate token with current secret, attempting old secret.");
            $stoken = 
              self::decodeAndValidateToken($token, $oldcryptkey, $oldsignkey, false);
        }

        return $stoken;
    }

    /**
     * Decodes the given token string; returns undef on failure.
     *
     * First, the string is URL-unescaped and base64 decoded.
     * Second, the IV is extracted from the first 16 bytes of the string.
     * Finally, the string is decrypted using the encryption key.
     */
    public function decodeToken($token, $cryptkey=null)
    {
        if (!$cryptkey) {
            $cryptkey = $this->_cryptkey;
        }
        if (!$cryptkey) {
            self::fatal("Error: decodeToken: Secret key was not set. Aborting.");
        }
        
        $ivLen = 16;
        $token = self::u64($token);
        $len = strlen($token);
        
        if (!$token || ($len <= $ivLen) || (($len % $ivLen) != 0)) {
            self::debug("Error: decodeToken: Attempted to decode invalid token.");
            return;
        }
        
        $iv      = substr($token, 0, 16);
        $crypted = substr($token, 16);
        $mode    = MCRYPT_MODE_CBC; 
        $enc     = MCRYPT_RIJNDAEL_128;
        return mcrypt_decrypt($enc, $cryptkey, $crypted, $mode, $iv);
    }

    /**
     * Creates a signature for the given string by using the signature
     * key.
     */
    public function signToken($token, $signkey=null)
    {
        if (!$signkey) {
            $signkey = $this->_signkey;
        }
        if (!$signkey) {
            self::fatal("Error: signToken: Secret key was not set. Aborting.");
        }
        
        if (!$token) {
            self::debug("Attempted to sign null token.");
            return;
        }

        return hash_hmac("sha256", $token, $signkey, true);
    }

    /**
     * Extracts the signature from the token and validates it.
     */
    public function validateToken($token, $signkey=null)
    {
        if (!$signkey) {
            $signkey = $this->_signkey;
        }
        if (!$token) {
            self::debug("Error: validateToken: Invalid token.");
            return;
        }

        $split = split("&sig=", $token);
        if (count($split) != 2) {
            self::debug("ERROR: validateToken: Invalid token: $token");
            return;
        }
        list($body, $sig) = $split;

        $sig = self::u64($sig);
        if (!$sig) {
            self::debug("Error: validateToken: Could not extract signature from token.");
            return;
        }

        $sig2 = self::signToken($body, $signkey);
        if (!$sig2) {
            self::debug("Error: validateToken: Could not generate signature for the token.");
            return;
        }
        
          
        if ($sig == $sig2) {
            return $token;    
        }
        
        self::debug("Error: validateToken: Signature did not match.");
        return;
    }

    /* Implementation of the methods needed to perform Windows Live
       application verification as well as trusted sign-in. */

    /**
     * Generates an application verifier token. An IP address can 
     * optionally be included in the token.
     */
    public function getAppVerifier($ip=null)
    {
        $token  = 'appid=' . self::getAppId() . '&ts=' . self::getTimestamp();
        $token .= ($ip ? "&ip={$ip}" : '');
        $token .= '&sig=' . self::e64(self::signToken($token));
        return urlencode($token);
    }

    /**
     * Returns the URL that is required to retrieve the application 
     * security token.
     *
     * By default, the application security token is generated for 
     * the Windows Live site; a specific Site ID can optionally be 
     * specified in 'siteid'. The IP address can also optionally be 
     * included in 'ip'.
     *
     * If 'js' is nil, a JavaScript Output Notation (JSON) response is 
     * returned in the following format: 
     *
     *  {"token":"<value>"}
     *
     * Otherwise, a JavaScript response is returned. It is assumed that
     * WLIDResultCallback is a custom function implemented to handle the
     * token value:
     *
     * WLIDResultCallback("<tokenvalue>");
     */
    public function getAppLoginUrl($siteid=null, $ip=null, $js=null)
    {
        $url  = self::getSecureUrl();
        $url .= 'wapplogin.srf?app=' . self::getAppVerifier($ip);
        $url .= '&alg=' . self::getSecurityAlgorithm();
        $url .= ($siteid ? "&id=$siteid" : '');
        $url .= ($js ? '&js=1' : '');
        return $url;
    }

    /**
     * Retrieves the application security token for application
     * verification from the application sign-in URL.  
     *
     * By default, the application security token will be generated for
     * the Windows Live site; a specific Site ID can optionally be
     * specified in 'siteid'. The IP address can also optionally be
     * included in 'ip'.
     *
     * Implementation note: The application security token is downloaded
     * from the application sign-in URL in JSON format:
     *
     * {"token":"<value>"}
     *
     * Therefore we must extract <value> from the string and return it as
     *  seen here.
     */
    public function getAppSecurityToken($siteid=null, $ip=null)
    {
        $body = self::fetch(self::getAppLoginUrl($siteid, $ip));
        if (!$body) {
            self::debug("Error: getAppSecurityToken: Could not fetch the application security token.");
            return;
        }
            
        preg_match('/\{"token":"(.*)"\}/', $body, $matches);
        if(count($matches) == 2) {
            return $matches[1];
        }
        else {
            self::debug("Error: getAppSecurityToken: Failed to extract token: $body");
            return;
        }
    }

    /**
     * Returns a string that can be passed to the getTrustedParams
     * function as the 'retcode' parameter. If this is specified as the
     * 'retcode', the application will be used as return URL after it
     * finishes trusted sign-in.
     */
    public function getAppRetCode()
    {    
        return 'appid=' . self::getAppId();
    }

    /**
     * Returns a table of key-value pairs that must be posted to the
     * sign-in URL for trusted sign-in. Use HTTP POST to do this. Be aware
     * that the values in the table are neither URL nor HTML escaped and
     * may have to be escaped if you are inserting them in code such as
     * an HTML form.
     *
     * The user to be trusted on the local site is passed in as string 
     * 'user'.
     *
     *  Optionally, 'retcode' specifies the resource to which successful
     *  sign-in is redirected, such as Windows Live Mail, and is typically
     *  a string in the format 'id=2000'. If you pass in the value from
     *  getAppRetCode instead, sign-in will be redirected to the 
     *  application. Otherwise, an HTTP 200 response is returned.
     */
    public function getTrustedParams($user, $retcode=null)
    {
        $token  = self::getTrustedToken($user);
        if (!$token) {
            return;
        }
        $token = "<wst:RequestSecurityTokenResponse xmlns:wst=\"http://schemas.xmlsoap.org/ws/2005/02/trust\"><wst:RequestedSecurityToken><wsse:BinarySecurityToken xmlns:wsse=\"http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd\">$token</wsse:BinarySecurityToken></wst:RequestedSecurityToken><wsp:AppliesTo xmlns:wsp=\"http://schemas.xmlsoap.org/ws/2004/09/policy\"><wsa:EndpointReference xmlns:wsa=\"http://schemas.xmlsoap.org/ws/2004/08/addressing\"><wsa:Address>uri:WindowsLiveID</wsa:Address></wsa:EndpointReference></wsp:AppliesTo></wst:RequestSecurityTokenResponse>";
        
        $params = array();
        $params['wa']      = self::getSecurityAlgorithm();
        $params['wresult'] = $token;
        
        if ($retcode) {
            $params['wctx'] = $retcode;
        }
        
        return $params;        
    }

    /**
     * Returns the trusted sign-in token in the format that is needed by a
     * control doing trusted sign-in.
     *
     * The user to be trusted on the local site is passed in as string
     * 'user'.
     */
    public function getTrustedToken($user)
    {
        if (!$user) {
            self::debug('Error: getTrustedToken: Null user specified.');
            return;
        }
        
        $token  = "appid=" . self::getAppId() . "&uid=" . urlencode($user) 
          . "&ts=". self::getTimestamp();
        $token .= "&sig="  . self::e64(self::signToken($token));
        return urlencode($token);
    }

    /**
     * Returns the trusted sign-in URL to use for Windows Live Login server.
     */
    public function getTrustedLoginUrl()
    {
        return self::getSecureUrl() . 'wlogin.srf';
    }
    
    /**
     * Returns the trusted sign-in URL to use for Windows Live
     *  Login server.
     */
    public function getTrustedLogoutUrl()
    {
        return self::getSecureUrl() . "logout.srf?appid=" + self::getAppId();
    }

    /* Helper methods */
    
    /**
     * Function to parse the settings file.
     */
    private function parseSettings($settingsFile)
    {
        $settings = array();
        $doc = new DOMDocument();
        if (!$doc->load($settingsFile)) {
            self::fatal("Error: parseSettings: Error while reading $settingsFile");
        }
        
        $nl = $doc->getElementsByTagName('windowslivelogin');
        if($nl->length != 1) {
            self::fatal("error: parseSettings: Failed to parse settings file:" 
                        . $settingsFile);
        }

        $topnode = $nl->item(0);
        foreach ($topnode->childNodes as $node) {
            if ($node->nodeType == XML_ELEMENT_NODE) {
                $firstChild = $node->firstChild;
                if (!$firstChild) {
                    self::fatal("error: parseSettings: Failed to parse settings file:" 
                                . $settingsFile);
                }
                $settings[$node->nodeName] = $firstChild->nodeValue;
            }
        }
        
        return $settings;
    }
    
    /**
     * Derives the key, given the secret key and prefix as described in the
     * Web Authentication SDK documentation.
     */
    private function derive($secret, $prefix)
    {
        if (!$secret || !$prefix) {
            self::fatal("Error: derive: secret or prefix is null.");
        }        

        $keyLen = 16;
        $key = $prefix . $secret;
        $key = mhash(MHASH_SHA256, $key);
        if (!$key || (strlen($key) < $keyLen)) {
            self::debug("Error: derive: Unable to derive key.");
            return;
        }
        
        return substr($key, 0, $keyLen);
    }

    /**
     * Parses query string and returns a hash.
     *
     * If a hash ref is passed in from CGI->Var, it is dereferenced and
     * returned.
     */
    private function parse($input)
    {                
        if (!$input) {
            self::debug("Error: parse: Null input.");
            return;
        }

        $input = split('&', $input);
        $pairs = array();
        
        foreach ($input as $pair) {
            $kv = split('=', $pair);
            if (count($kv) != 2) {
                self::debug("Error: parse: Bad input to parse: " . $pair);
                return;
            }
            $pairs[$kv[0]] = $kv[1];
        }
                
        return $pairs;
    }

    /**
     * Generates a time stamp suitable for the application verifier 
     * token.
     */
    private function getTimestamp()
    {    
        return time();
    }

    /**
     * Base64-encodes and URL-escapes a string.
     */
    private function e64($input)
    {
        if (is_null($input)) {
            return;
        }
        return urlencode(base64_encode($input));
    }

    /**
     * URL-unescapes and Base64-decodes a string.
     */
    private function u64($input)
    {
        if(is_null($input))
            return;
        return base64_decode(urldecode($input));
    }

    /**
     * Fetches the contents given a URL.
     */
    private function fetch($url)
    {        
        if (!($handle = fopen($url, "rb"))) {
            self::debug("error: fetch: Could not open url: $url");
            return;
        }
        
        if (!($contents = stream_get_contents($handle))) {
            self::debug("Error: fetch: Could not read from url: $url");
        }
        
        fclose($handle);
        return $contents;
    }
}
?>
